Tool: list_involved_entities
Lists all involved entities for a given case alert in Chronicle SIEM.
Retrieves a paginated list of all entities associated with a specific SOAR case alert.
Workflow Integration:
- Used to populate a list of entities in the SOAR UI for a given case alert.
- Enables an analyst to quickly see all related entities when starting an investigation.

Use Cases:
- Display all involved entities on a case alert detail page.
- A playbook iterates through all entities to check for specific indicators.

Args:
- project_id (str): Google Cloud project ID (required).
- customer_id (str): Chronicle customer ID (required).
- region (str): Chronicle region (e.g., "us", "europe") (required).
- case_id (str): The numeric ID of the parent case (e.g., "1").
- case_alert_id (str): The numeric ID of the specific alert within the case (e.g., "789"). This is not the descriptive alert identifier string. You can find this numeric ID as the last part of the 'Name' field when you list alerts using 'list_case_alerts'.
- page_size (int, optional): The maximum number of entities to return.
- page_token (str, optional): A token for fetching the next page of results.
- filter (str, optional): A filter to apply to the list of entities.
- order_by (str, optional): The field to order the results by.

Returns:
ListInvolvedEntitiesResponse: A response object containing a list of InvolvedEntity objects and a next page token. Returns an error message if the parent case alert is not found.

Example Usage:

```python
# List all involved entities for a specific case alert
# NOTE: 'case_alert_id' must be the numeric ID from the alert's resource Name.
list_involved_entities(project_id='123', region='us', customer_id='abc', case_id='1', case_alert_id='456')
```
The following sample demonstrates how to use curl to invoke the list_involved_entities MCP tool.

Curl Request:

```bash
curl --location 'https://chronicle.googleapis.com/mcp' \
  --header 'content-type: application/json' \
  --header 'accept: application/json, text/event-stream' \
  --data '{
    "method": "tools/call",
    "params": {
      "name": "list_involved_entities",
      "arguments": {
        // provide these details according to the tool's MCP specification
      }
    },
    "jsonrpc": "2.0",
    "id": 1
  }'
```

The `//` line inside "arguments" is a placeholder, not valid JSON; replace it with the tool's arguments (for example the projectId, customerId, region, caseId and caseAlertId fields from the input schema below) before sending the request.
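The following is an added example, not Google's code and not part of the original page, showing how a playbook would drive the curl request above from Python: it builds the JSON-RPC tools/call envelope, follows nextPageToken until the server returns an empty token, accepts either a plain JSON reply or a text/event-stream reply, and surfaces the "parent case alert not found" error rather than treating it as an empty entity list. It assumes the MCP Streamable HTTP transport and the structuredContent/isError members of a tools/call result; the fake_post transport and every entity value in it are constructed for illustration. In production, post would perform the authenticated HTTP POST and return the response content type and body.

```python
"""Page through list_involved_entities over the MCP JSON-RPC endpoint.

Added example, not Google's code. It assumes the MCP Streamable HTTP
transport: a POST of a JSON-RPC 2.0 tools/call request to
https://chronicle.googleapis.com/mcp, answered either as a plain JSON body
or as text/event-stream whose 'data:' lines carry JSON-RPC messages, with
the tool payload in result.structuredContent (fallback: JSON text content).
The transport is injected so the sample runs offline against constructed
responses; the entity values in them are made up.
"""
import json
from typing import Callable, Dict, Iterator, List, Optional, Tuple

MCP_URL = "https://chronicle.googleapis.com/mcp"
Transport = Callable[[Dict], Tuple[str, str]]  # request -> (content_type, body)


def build_tools_call(call_id: int, arguments: Dict) -> Dict:
    """JSON-RPC 2.0 envelope for a tools/call of list_involved_entities."""
    return {"jsonrpc": "2.0", "id": call_id, "method": "tools/call",
            "params": {"name": "list_involved_entities", "arguments": arguments}}


def parse_mcp_response(content_type: str, body: str) -> Dict:
    """Return the JSON-RPC message carried by a plain JSON or SSE response."""
    if content_type.startswith("text/event-stream"):
        messages = [json.loads(line[len("data:"):].strip())
                    for line in body.splitlines() if line.startswith("data:")]
        if not messages:
            raise ValueError("event stream carried no JSON-RPC message")
        return messages[-1]  # the last message holds the final result
    return json.loads(body)


def unwrap_tool_result(message: Dict) -> Dict:
    """Extract the tool payload, failing loudly on protocol or tool errors."""
    if "error" in message:
        err = message["error"]
        raise RuntimeError(f"JSON-RPC error {err.get('code')}: {err.get('message')}")
    result = message["result"]
    if result.get("isError"):
        # The tool reports 'parent case alert not found' as an error result;
        # surface it instead of treating the alert as having zero entities.
        text = " ".join(c.get("text", "") for c in result.get("content", []))
        raise LookupError(f"list_involved_entities failed: {text}")
    if "structuredContent" in result:
        return result["structuredContent"]
    return json.loads(result["content"][0]["text"])


def iter_involved_entities(post: Transport, base_args: Dict,
                           page_size: int = 100) -> Iterator[Dict]:
    """Yield every InvolvedEntity, following nextPageToken until it is empty."""
    page_token: Optional[str] = None
    seen_tokens = set()
    call_id = 1
    while True:
        args = dict(base_args, page_size=page_size)
        if page_token:
            args["page_token"] = page_token
        content_type, body = post(build_tools_call(call_id, args))
        payload = unwrap_tool_result(parse_mcp_response(content_type, body))
        yield from payload.get("involvedEntities", [])
        page_token = payload.get("nextPageToken") or None
        if page_token is None:
            return
        if page_token in seen_tokens:  # guard: a repeated token would loop forever
            raise RuntimeError(f"server repeated page token {page_token!r}")
        seen_tokens.add(page_token)
        call_id += 1


# ---- constructed fake transport: two pages, the second delivered as SSE ----
def _page(call_id: int, entities: List[Dict], next_token: str) -> str:
    return json.dumps({"jsonrpc": "2.0", "id": call_id, "result": {"structuredContent": {
        "involvedEntities": entities, "nextPageToken": next_token, "totalSize": 3}}})


def fake_post(request: Dict) -> Tuple[str, str]:
    args = request["params"]["arguments"]
    if args["case_alert_id"] != "456":  # only alert 456 exists in this fake
        return "application/json", json.dumps({"jsonrpc": "2.0", "id": request["id"], "result": {
            "isError": True, "content": [{"type": "text", "text": "case alert not found"}]}})
    if args.get("page_token") is None:
        ents = [{"id": "1", "type": "HOSTNAME", "identifier": "ws-01"},
                {"id": "2", "type": "ADDRESS", "identifier": "198.51.100.7"}]
        return "application/json", _page(request["id"], ents, "p2")
    ents = [{"id": "3", "type": "PROCESS", "identifier": "svchost.exe"}]
    return "text/event-stream", f"event: message\ndata: {_page(request['id'], ents, '')}\n\n"


def collect_identifiers(case_alert_id: str = "456") -> List[str]:
    """Drive the pagination loop against fake_post; returns entity identifiers in order."""
    args = {"project_id": "123", "customer_id": "abc", "region": "us",
            "case_id": "1", "case_alert_id": case_alert_id}
    return [e["identifier"] for e in iter_involved_entities(fake_post, args, page_size=2)]


def alert_not_found(case_alert_id: str) -> bool:
    """True when the tool reports the parent case alert as missing."""
    try:
        collect_identifiers(case_alert_id)
    except LookupError:
        return True
    return False


if __name__ == "__main__":
    print(collect_identifiers())  # ['ws-01', '198.51.100.7', 'svchost.exe']
```

The page-token loop keeps a set of tokens it has already sent so that a misbehaving or replayed response cannot turn a playbook step into an infinite loop; the LookupError path is what a playbook should branch on when an analyst passes the descriptive alert identifier instead of the numeric case_alert_id.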
Input Schema

Request message for ListInvolvedEntities.

ListInvolvedEntitiesRequest

JSON representation:

```
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "caseId": string,
  "caseAlertId": string,
  "pageSize": integer,
  "pageToken": string,
  "filter": string,
  "orderBy": string
}
```
| Field | Description |
|---|---|
| projectId | Project ID of the customer. |
| customerId | Customer ID of the customer. |
| region | Region of the customer. |
| caseId | Case ID of the case alert. |
| caseAlertId | Case alert ID of the case alert. |
| pageSize | Page size. |
| pageToken | Page token. |
| filter | Filter. |
| orderBy | Order by. |
Output Schema

Response message for ListInvolvedEntities.

ListInvolvedEntitiesResponse

JSON representation:

```
{
  "involvedEntities": [
    {
      object (InvolvedEntity)
    }
  ],
  "nextPageToken": string,
  "totalSize": integer
}
```

| Field | Description |
|---|---|
| involvedEntities[] | object (InvolvedEntity). The list of InvolvedEntities. |
| nextPageToken | A token, which can be sent as |
| totalSize | The total number of InvolvedEntities. |
InvolvedEntity

JSON representation:

```
{
  "name": string,
  "id": string,
  "type": string,
  "threatSource": string,
  "operatingSystem": string,
  "networkTitle": string,
  "environment": string,
  "additionalProperties": string,
  "sourceSystemUri": string,
  "entityUri": string,
  "fields": [
    {
      object (ContextGroup)
    }
  ],
  "alertIdentifier": string,
  "caseId": integer,
  "identifier": string,
  "suspicious": boolean,
  "internal": boolean,
  "networkPriority": integer,
  "attacker": boolean,
  "pivot": boolean,
  "manuallyCreated": boolean,
  "enriched": boolean,
  "artifact": boolean,
  "vulnerable": boolean
}
```

| Field | Type | Description |
|---|---|---|
| name | string | Identifier. The unique name (ID) of the InvolvedEntity. Format: `projects/{project}/locations/{location}/instances/{instance}/cases/{case}/caseAlerts/{case_alert}/involvedEntities/{involved_entity}` |
| id | string (int64 format) | Required. Immutable. The id of the entity. |
| type | string | Required. Immutable. The type of the entity. Could be: HOSTNAME, USB, PROCESS, ADDRESS, … |
| threatSource | string | Optional. Threat source of the entity. |
| operatingSystem | string | Optional. Operating system related to the entity. |
| networkTitle | string | Optional. Network name related to the entity. |
| environment | string | Output only. Immutable. The environment the entity belongs to. Derived from the case and alert. |
| additionalProperties | string | Optional. Stores additional properties, in JSON format. |
| sourceSystemUri | string | Optional. Output only. Immutable. Link to the source system. |
| entityUri | string | Optional. Output only. The full URL of the entity, calculated using the source_system_uri and the entity data. Optional if the source_system_uri is not defined. |
| fields[] | object (ContextGroup) | Output only. A list of context group items, which are calculated based on the entity's properties. |
| alertIdentifier | string | Output only. The alert identifier of the alert that the involved entity is associated with. |
| caseId | integer | Output only. The id of the case that the involved entity is associated with. |
| identifier | string | Output only. The identifier name of the involved entity. |
| suspicious | boolean | Required. Describes if the entity is suspicious or not. |
| internal | boolean | Required. Indicates whether this entity is internal. This setting is configured in the application's settings, and any entity type can be designated as internal. |
| networkPriority | integer | Optional. Network priority of a related network. |
| attacker | boolean | Optional. Describes if the entity represents an attacker or not. |
| pivot | boolean | Optional. Describes if the entity is a pivot or not. A pivot entity is an entity which is common to two or more cases. In the case graph, it is connected to other entities by a dotted line. |
| manuallyCreated | boolean | Output only. Immutable. Describes if the entity was created by the system (as part of the ingestion flow), or manually by the user. |
| enriched | boolean | Output only. Indicates whether the entity has been enriched. An entity is enriched when an action adds information from an external system. |
| artifact | boolean | Output only. Describes if the entity is an artifact or not. |
| vulnerable | boolean | Output only. Describes if the entity is vulnerable or not. |

The fields suspicious, internal, networkPriority, attacker, pivot, manuallyCreated, enriched, artifact and vulnerable are each the only member of a union field (_suspicious, _internal, _network_priority, _attacker, _pivot, _manually_created, _enriched, _artifact, _vulnerable respectively), which can contain only that one field.
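The following is an added example, not Google's code and not part of the original page, showing what the playbook use case from the tool description ("iterates through all entities to check for specific indicators") looks like against the InvolvedEntity, ContextGroup and ContextGroupItem records documented here: it validates the resource name format, parses additionalProperties (JSON stored in a string) without letting a malformed value abort the run, flattens fields[] while skipping hidden context groups, and ranks entities by their boolean flags. SAMPLE_ENTITIES and the scoring weights are constructed for illustration; the weights are an analyst's choice, not part of the API.

```python
"""Triage helpers for InvolvedEntity records from list_involved_entities.

Added example, not Google's code. The record shapes follow the InvolvedEntity,
ContextGroup and ContextGroupItem tables on this page; SAMPLE_ENTITIES and
the scoring weights are constructed for illustration.
"""
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Resource name format documented for InvolvedEntity.name, one group per segment.
_NAME_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/instances/(?P<instance>[^/]+)/cases/(?P<case>\d+)"
    r"/caseAlerts/(?P<case_alert>\d+)/involvedEntities/(?P<involved_entity>[^/]+)$")

# (flag, weight, reason): illustrative weights, not part of the API.
_FLAG_WEIGHTS = [("attacker", 5, "marked as attacker"),
                 ("suspicious", 3, "marked suspicious"),
                 ("pivot", 2, "pivot: common to two or more cases"),
                 ("vulnerable", 2, "marked vulnerable")]


def parse_entity_name(name: str) -> Dict[str, str]:
    """Split a resource name into its segments; reject anything off-format
    before the numeric case/caseAlert ids are reused in further tool calls."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"not an involvedEntities resource name: {name!r}")
    return m.groupdict()


def parse_additional_properties(raw: Optional[str]) -> Dict:
    """additionalProperties is JSON stored in a string; bad JSON must not abort triage."""
    if not raw:
        return {}
    try:
        value = json.loads(raw)
    except json.JSONDecodeError:
        return {"_unparsed": raw}
    return value if isinstance(value, dict) else {"_value": value}


def flatten_context(fields: Optional[List[Dict]]) -> Dict[str, str]:
    """Flatten fields[] (ContextGroup -> ContextGroupItem) to 'Group.name': value,
    leaving out groups the API marks hidden."""
    out: Dict[str, str] = {}
    for group in fields or []:
        if group.get("hidden"):
            continue
        prefix = group.get("displayName", "Default")
        for item in group.get("items", []):
            out[f"{prefix}.{item.get('name')}"] = item.get("value", "")
    return out


@dataclass
class Triage:
    identifier: str
    type: str
    score: int
    reasons: List[str] = field(default_factory=list)


def triage_entity(entity: Dict) -> Triage:
    """Score one entity from its boolean flags; higher means review first."""
    score, reasons = 0, []
    for flag, weight, reason in _FLAG_WEIGHTS:
        if entity.get(flag):
            score += weight
            reasons.append(reason)
    # An internal asset that is itself flagged matters more than an external indicator.
    if entity.get("internal") and score:
        score += 4
        reasons.append("internal asset")
    if not entity.get("enriched", False):
        reasons.append("not yet enriched")  # candidate for an enrichment action
    return Triage(entity.get("identifier") or entity.get("id", "?"),
                  entity.get("type", "UNKNOWN"), score, reasons)


def triage_entities(entities: List[Dict]) -> List[Triage]:
    """All entities, highest score first; sorted() is stable so ties keep API order."""
    return sorted((triage_entity(e) for e in entities), key=lambda t: -t.score)


# ---- constructed sample, shaped like the InvolvedEntity table above ----
_NAME = "projects/123/locations/us/instances/inst-1/cases/1/caseAlerts/456/involvedEntities/{}"
SAMPLE_ENTITIES = [
    {"name": _NAME.format(11), "id": "11", "type": "HOSTNAME", "identifier": "ws-01",
     "suspicious": True, "internal": True, "attacker": False, "pivot": False,
     "vulnerable": True, "enriched": True, "additionalProperties": '{"OwnerName": "jdoe"}',
     "fields": [{"displayName": "Default", "hidden": False,
                 "items": [{"name": "Hostname", "originalName": "hostname", "value": "ws-01"}]},
                {"displayName": "Raw", "hidden": True,
                 "items": [{"name": "blob", "originalName": "blob", "value": "opaque"}]}]},
    {"name": _NAME.format(12), "id": "12", "type": "ADDRESS", "identifier": "198.51.100.7",
     "suspicious": True, "internal": False, "attacker": True, "pivot": True,
     "enriched": False, "additionalProperties": "not json"},
    {"name": _NAME.format(13), "id": "13", "type": "PROCESS", "identifier": "svchost.exe",
     "suspicious": False, "internal": True, "enriched": True},
]

if __name__ == "__main__":
    for t in triage_entities(SAMPLE_ENTITIES):
        print(t.score, t.type, t.identifier, ", ".join(t.reasons))
```

Because every boolean in the table lives in a single-member union field, a playbook should treat an absent flag as "not asserted" rather than False where the distinction matters; the dict.get calls above deliberately collapse absent and false, which is the right default for ranking but not for, say, auditing whether the enrichment step ran.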
ContextGroup

JSON representation:

```
{
  "displayName": string,
  "items": [
    {
      object (ContextGroupItem)
    }
  ],
  "highlighted": boolean,
  "hidden": boolean
}
```

| Field | Type | Description |
|---|---|---|
| displayName | string | Output only. The name of the context group. The default context group is called "Default". |
| items[] | object (ContextGroupItem) | Output only. A list of items in the group. |
| highlighted | boolean | Output only. Whether the context group is highlighted. |
| hidden | boolean | Output only. Whether the context group is hidden. |

The fields highlighted and hidden are each the only member of a union field (_highlighted and _hidden respectively), which can contain only that one field.
ContextGroupItem

JSON representation:

```
{
  "name": string,
  "originalName": string,
  "value": string
}
```

| Field | Description |
|---|---|
| name | Output only. The name of the property. |
| originalName | Output only. The original name of the property. |
| value | Output only. The property's value. |
Tool Annotations
Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌

